Keeping Data on the Radar: BCBS 239 Principles Still a Work in Progress

“Where is the wisdom we have lost in knowledge? Where is the knowledge we have lost in information?” Within the Basel Committee of Banking Supervision’s (BCBS’s) 2013 report, that excerpt from T.S. Elliot’s “The Rock” is not a mechanism to inspire but rather a warning that muddled data and a lack of structure in data practices can lead to a loss of key information that may mitigate a market disaster. Based on the contents of a new RDARR progress report released in June 2018, it seems the Committee’s cautionary message has evolved into criticism.

In a rebuke to the banking industry, the Committee called progress on implementation of BCBS 239 principles “marginal,” deeming it “unsatisfactory.” The report points out that only three global systemically important banks (G-Sibs) are fully compliant with RDARR principles and that some banks fail to demonstrate “the commitment needed to meet project deadlines.” The European Central Bank (ECB) similarly claimed industry compliance with BSBS 239 was “unsatisfactory” and “a source of concern” in a May 2018 review on effective risk data aggregation and risk reporting.

Unprescribed Principles

The BCBS designed RDARR’s 14 principles in the wake of the financial crisis to force the industry to address poor data management structures and in turn, create a robust data framework to effectively aggregate risk.

“It’s clear that the regulation is telling you one thing and one thing only: You need to be good at data. But being good at data is a very tall order for the majority of the firms in the market because of the historical heritage of bad data or data debt that everyone has accumulated,” says Roberto Maranca, former chief data officer (CDO) at Lloyds and GE Capital International.

The RDARR principles are different from other regulations because they are not a concrete set of standards to follow, but rather, preconditions. Principles one and two, data governance and data architecture, are key challenges because without robust governance plans or upgrades to old systems, implementing the other 12 principles will be tough.

“This is not a regulation that requires you to deliver a product. Under Mifid II transaction reporting, for example, the requirement was to build datafeeds to send to a regulatory repository. BCBS is basically a directive to change your culture,” says Cian Ó Braonáin, global regulatory practice lead at Sapient Consulting. “The project itself should be a phase one iteration of ‘business as usual,’ then jump straight into better data management, defining it for the organization, and then embedding it around existing processes that are put in place for defining risk models, creating new reports or changing risk appetites.”

In their 2018 report, the Committee acknowledged that they did not create a prescriptive outline for how to implement the principles, because risk management and data aggregation practices vary across banks and are dependent upon on structure and risk profiles. However, creating a set of “golden rules” that outlines data governance standards is difficult without clarity on what the rules should be or without a historical use case, says Nels Ylitalo, director of product strategy regulatory solutions at FactSet.

“Translating principles into compliance can really be a challenge. It requires a lot of heavy duty analysis and interpretation, especially in a setting where compliance is going to be judged on an institutional and situational basis. It’s going to be harder for decision-makers to know what industry consensus is and benchmark off of that,” he says.

Culture Crash

Perhaps the most daunting obstacle standing in the way of BCBS compliance is a need for cultural change within organizations, which Maranca says is crucial for firms to have the visibility and awareness necessary to fully understand their own internal workings.

“The culture around data has to change dramatically, and culture is the thing that is taking the longest to change,” Maranca says.

According to the Committee, there has not been enough emphasis from boards and top executives on setting up data governance plans or allowing data officers to complete compliance projects for the principles. As stated in its June review: “Principle one requires a bank’s group RDARR framework to be reviewed and approved by a bank’s board and senior management. However, at some banks, the RDARR frameworks had not been appropriately approved.”

Charlie Browne, head of market data and risk solutions for enterprise data management platform vendor GoldenSource, says top executives are reluctant to make changes to legacy data systems despite CDO, CFO, legal department, and front office reliance on good data for their chief functions.

“Executives have their own objectives and the bank has to earn capital, and sometimes when the technology doesn’t work, everyone is focused on that and data tends to have secondary importance,” Browne says.

The Committee reports that institutions that are fully compliant, or on their way there, are the ones collaborating throughout the organization to highlight the importance of data governance, as well as articulate the responsibilities of data officers and risk teams, and in turn, put policies in place to support those departments. “Where banks run into problems is when there is a lack of structured policies and frameworks, and there isn’t any accountability or authority assigned to data staff members,” the review states. 

Another source of delay is a failure to take accountability for the regulation requirements from all levels within an organization, says Ó Braonáin, because there is a lack of understanding what the regulation demands mean, or because the solutions involve stakeholders who have not been a part of the process in the past. These are major hurdles to completion of governance plans dependent upon significant review and stringent evaluations.

Ó Braonáin says firms can hire data specialists, but they will not get results if BCBS isn’t framed well and if data officers aren’t given the tools they need to properly implement and manage data projects.

“This is an exercise for everybody and everywhere in the organization to take their data more seriously. If firms have governance defined well and senior leadership understands it and knows why it’s there, that will be crucial,” he says.

Talk the Talk

Well-established communication initiatives from the risk and data departments to upper management are essential, says Maranca, because problems arise when CDOs or data officers are unable to express challenges in ways that the entire organization understands.

“Data officers need to be good at communicating simply what may be a bit obscure and complex, because the people at the top are continuously bombarded with new things and new data and they need time to digest that information. It is a duty for us, as data officers, to explain things better. It is a duty for boards to be curious about things within data programs. They need to understand it’s a voyage and a marathon, not a sprint,” he says.

Although communication within organizations can help push data techniques along, David Saul, senior vice president and chief scientist at State Street, says industry collaboration is paramount.

“One thing that we certainly learned from the financial crisis is that we’re all interconnected. No one organization is going to be able to solve this data governance problem on its own. It’s going to have to be a public–private partnership of all of us working together,” says Saul. “We’re exchanging data among ourselves, among the regulators, and receiving data from data providers. We need an industry-wide solution. I think the European Central Bank makes that point very strongly in their [May 2018] comments about BCBS 239.”

Ó Braonáin says without a descriptive way to put new systems and structures in place, a lot of banks are figuring out strategies as they go, and there are a lot of people with tech backgrounds doing a good job being “data evangelists,” but forgetting that BCBS 239 is a compliance project.

Ylitalo at FactSet says implementing new technological solutions for regulation is a tremendous challenge and often, regulators are not aware of practical issues involved.

“The view sometimes seems to be that we are in a big data world and there’s a tremendous amount of data available now, but the reality is that collecting and ensuring the quality of data that is needed—and even the work that vendors do, as well—is a costly process. All of this data isn’t just sitting out there for free waiting to be picked up, and the data that is sitting there for a free isn’t going to be the highest quality,” he says.

According to Ylitalo, integrating data from hundreds of sources just for asset-related data requirements is a problem even for FactSet, a software company that specializes in data management. There are difficulties in trying to obtain data for asset classes where there is not full coverage and significant data gaps exist in several asset classes, such as over-the-counter (OTC) derivatives. Latency, licensing, and sourcing from data vendors are significant cost burdens if something goes awry. Portfolio managers are also expected to aggregate data for a handful of securities, even if they make up a small part of their overall portfolio, which can be time-consuming and expensive.

Despite mounting technical challenges, the Committee expects firms to upgrade systems or to complete IT infrastructure projects. Replacing legacy systems can be costly, but changing systems for compliance can generate long-term value by producing high quality data, making future regulatory projects and risk metrics easier. Problems with data architecture can similarly be reduced by creating consistency throughout the departments by creating a standard set of definitions, Saul says.

“Firms are coming from a wide variety of legacy systems, so the solution needs to be able to cut across new technology, emerging technology, as well as legacy systems. Semantic data standards are a way to bridge that. Creating a semantic layer allows firms to move between technologies without sharing the physical data itself, but by sharing the meaning of that data,” he adds.

According to the Committee, banks that create a data dictionary and a single data repository or data warehouse for each risk type can create clear audit trails and provide data lineage necessary for compliance. Organizations that are fully compliant with RDARR principles have integrated data taxonomies and dictionaries built into their systems and across their entire global business units.

“Industry participants, regulators, vendors, standards organizations [need to] coalesce around semantic data technology. That’s a path to data harmonization and data harmonization directly leads to better data quality, which all banks want. That’s a universal goal and I think it’ll bring us a long way, not just for BCBS, but toward reducing overall systemic risk in preventing the kind of financial crisis that we had [in 2008]. None of us wants to go through that again,” says Saul.

Browne from GoldenSource says creating common identifiers for instruments will help make risk calculations easier, and putting in new systems to centralize sources will make future compliance projects smoother. He adds that in some instances, an organization has six different identifiers for the same counterparty, which creates confusion and muddles the data.

But the shift to a common language is another problem that could be attributed to organizational culture.

“The challenge with data quality is defining data quality for the entire organization and aligning the meanings,” Maranca says. Departments are reluctant to switch or it may take several months for the organization to agree on a uniform name for data types—for example, determining whether the UK should be expressed as “United Kingdom” or “UK.”

“Data is not a technical issue. Data is a language issue. When you have people in the company calling the same thing different things, you will always have a data quality problem,” says Maranca.

Quality Control

The key to managing data quality might lie in acknowledging that it will never be perfect, which can actually help firms control for imperfections and hold off on decisions so that strategies remediate and account for data flow failures.

“One hundred percent data quality for most things is quite difficult. Whereas what might be more than adequate is 95 percent correct and 5 percent tolerance, so firms know that 5 percent of the number will end up being a rounding error on the total anyway,” Ó Braonáin says.

That distinction matters, because a major concern with BCBS 239 noncompliance is how accurately a bank will evaluate risk with substandard data when the market is under extreme stress situations, such as when the European Union’s final decision on the UK’s exit from the EU will be handed down in March 2019.

“Sound and robust risk data aggregation capabilities and risk reporting practices have become even more important since the global financial crisis, which demonstrated that an institution’s ability to manage risk-related data has a significant impact on its overall risk profile and the sustainability of its business model, especially when such entities face economic, financial, competitive and regulatory headwinds,” the ECB states in its review.

Ylitalo says when faced with external events, such as Brexit, the industry needs to be resilient to change. “I’d be surprised if firms, even the firms that are fully compliant, have been able to build resilience into their governance for BCBS 239 purposes to accommodate an event like Brexit without some level of breakage,” he says. “Do companies have the capability and the right data, at the right time, in the right context, and at the right level to make fast decisions? Because unfortunately, when the Brexit final decision lands, firms are going to have to make quick decisions.”